How to create your own hack environment
- 1. How to create your own hack environment
By Sumedt Jitpukdebodin
- 2. # whoami
:~ # Sumedt Jitpukdebodin
:~ # Cyber Ops Consultant @ Horangi
:~ # Technical @ OWASP Thailand, Admin @ 2600Thailand
:~ # Google me :)
- 3. # why ~
:~ # Learn system administrator jobs
:~ # Learn offensive and defensive
• Do PoCs from public exploits
• Analyse vulnerabilities
• Create your own challenges and let people have fun with them :)
:~ # Do the lab for DevSecOps
:~ # Simulate the real world situation.
:~ # Do something weird :p
- 4. # How
• Create with your own machine (server)
• Create with cloud service
• Create with VM and container
- 5. # Differentiate
Real Server
  Price (start): 30000
  Pros: Powerful machine; Can do everything you want; You own it; Long-term solution
  Cons: Have to maintain it yourself
Cloud Service
  Price (start): 500~/month
  Pros: Short-term solution; Easy to set up; Real-world environment; Scalable; Easy to customise
  Cons: Limited images; High price for long-term use; Has some restrictions
- 6. # why Docker
• Easy to setup and maintain
• Easy to find template
• Easy to modify
• Can run on multi-platform
• Strong community
- 7. # Install Docker on Ubuntu 16.04.2
:~ # sudo apt-get update
:~ # sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
:~ # curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
:~ # sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
:~ # sudo apt-get update
:~ # sudo apt-get install docker-ce docker-compose
- 8. Example Docker image for IIS (Windows)
# escape=`
FROM microsoft/windowsservercore:1803
# Install IIS and fetch ServiceMonitor, which keeps the container alive while W3SVC runs
RUN powershell -Command `
    Add-WindowsFeature Web-Server; `
    Invoke-WebRequest -UseBasicParsing `
        -Uri "https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.3/ServiceMonitor.exe" `
        -OutFile "C:\ServiceMonitor.exe"
EXPOSE 80
ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]
- 9. Example Docker image for Nginx (Linux)
FROM debian:jessie
MAINTAINER Diego Najar
# Variables
ENV NGINX_VERSION 1.10.1-1~jessie
ENV nginx_conf /etc/nginx/nginx.conf
ENV php_conf /etc/php5/fpm/php.ini
ENV fpm_conf /etc/php5/fpm/php-fpm.conf
ENV fpm_pool /etc/php5/fpm/pool.d/www.conf
# Packages installation
RUN echo "deb http://nginx.org/packages/debian/ jessie nginx" >> /etc/apt/sources.list && \
    apt-get update && \
    apt-get install --no-install-recommends --no-install-suggests -y --force-yes \
        ca-certificates nginx nginx-module-xslt nginx-module-geoip nginx-module-image-filter \
        nginx-module-perl nginx-module-njs gettext-base php5-fpm supervisor
# Disable PATH_INFO fix-up in PHP and move PHP-FPM from TCP 9000 to a unix socket
RUN sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" ${php_conf} && \
    sed -i -e "s|listen = 127.0.0.1:9000|listen = /var/run/php-fpm.sock|g" ${fpm_pool}
EXPOSE 80 443
- 10. # Start Docker
:~ # docker build -t nginx-phpfpm docker-nginx-php-fpm
:~ # docker run -itd -p 80:80 nginx-phpfpm:latest
:~ # docker ps
:~ # docker exec <name> /etc/init.d/nginx restart
- 11. Example Docker Compose for LEMP
version: '3'
networks:
  LEMP:
services:
  nginx:
    image: nginx:stable-alpine
    container_name: LEMP_nginx
    ports:
      - "8080:80"
    volumes:
      - ./code:/code
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
    networks:
      - LEMP
  mariaDB:
    image: mariadb:latest
    container_name: LEMP_mariaDB
    volumes:
      - ./database:/var/lib/mysql:rw
    ports:
      - "3306:3306"
    depends_on:
      - nginx
    environment:
      - MYSQL_ROOT_PASSWORD=654321
    networks:
      - LEMP
  php:
    image: php:7-fpm-alpine
    container_name: LEMP_php
    volumes:
      - ./code:/code
    ports:
      - "9000:9000"
    networks:
      - LEMP
  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    container_name: LEMP_phpMyAdmin
    ports:
      - "8183:80"
    environment:
      PMA_ARBITRARY: 1
    depends_on:
      - mariaDB
    networks:
      - LEMP
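A lab-safety check to run over a compose file or a set of docker run commands before bringing intentionally weak images up, added here as an example and not taken from the slides: it flags port publications with no host IP (bound to every interface, so the LAN can reach the lab; the LEMP file above publishes MariaDB as "3306:3306", and the docker run lines on the Start Docker slide use the same form), credential variables written as literals, and PMA_ARBITRARY. The sample input is a constructed, trimmed copy of that compose file; the check is regex-based so it runs with the standard library only and is not a full YAML parser.

```python
import re

# Constructed sample: a trimmed copy of the LEMP compose file from the slides, followed
# by two docker run lines in the style of the "Start Docker" slide (the second one is
# already pinned to loopback, which is the form a lab host should use).
SAMPLE = """\
services:
  nginx:
    ports:
      - "8080:80"
  mariaDB:
    ports:
      - "3306:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=654321
  phpmyadmin:
    ports:
      - "127.0.0.1:8183:80"
    environment:
      PMA_ARBITRARY: 1
$ docker run -itd -p 80:80 nginx-phpfpm:latest
$ docker run -d -p 127.0.0.1:8443:443 lab/vulnerable-image
"""

IPV4_PREFIX = r"\d{1,3}(?:\.\d{1,3}){3}:"
# A publish spec either as a compose list item (- "8080:80") or a CLI flag (-p 80:80).
PORT_SPEC = re.compile(r"""(?:-p\s+|-\s*["']?)((?:%s)?\d+:\d+)""" % IPV4_PREFIX)
SECRET_VAR = re.compile(r"\b(\w*(?:PASSWORD|SECRET|TOKEN)\w*)\s*[=:]\s*\S+")

def find_wide_open_ports(text):
    """Publish specs with no host IP, i.e. bound to 0.0.0.0 and reachable from the LAN."""
    return [s for s in PORT_SPEC.findall(text) if not re.match(IPV4_PREFIX, s)]

def find_plaintext_secrets(text):
    """Names of credential-looking variables assigned a literal value in the file."""
    return SECRET_VAR.findall(text)

def pin_to_loopback(spec):
    """Rewrite '8443:443' to '127.0.0.1:8443:443'; already-pinned specs are unchanged."""
    return spec if re.match(IPV4_PREFIX, spec) else "127.0.0.1:" + spec

def audit(text):
    """One human-readable finding per issue; an empty list means the file looks lab-safe."""
    findings = [f"{s} is published on every interface; use {pin_to_loopback(s)}"
                for s in find_wide_open_ports(text)]
    findings += [f"{name} is a literal in the file; move it to an untracked env file"
                 for name in find_plaintext_secrets(text)]
    if re.search(r"PMA_ARBITRARY\s*[=:]\s*1", text):
        findings.append("PMA_ARBITRARY=1 lets phpMyAdmin reach any MySQL host; point it at the lab DB only")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```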
- 12. # Vulnerable OWASP Docker Images
• DVWA (https://github.com/infoslack/docker-dvwa)
• Juice Shop (https://hub.docker.com/r/bkimminich/juice-shop/)
• Vulnerable Wordpress by WPScan Team (https://hub.docker.com/r/wpscanteam/vulnerablewordpress/)
• Mutillidae 2 (https://hub.docker.com/r/citizenstig/nowasp/)
• OWASP WebGoat (https://hub.docker.com/r/danmx/docker-owasp-webgoat/)
• OWASP NodeGoat (https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker)
- 13. # Specific Vulnerabilities
• Apache Struts2 - CVE-2017-5638 (https://hub.docker.com/r/piesecurity/apache-struts2-cve-2017-5638/)
• Shellshock - CVE-2014-6271 (https://github.com/Zenithar/docker-shellshockable)
• Heartbleed - CVE-2014-0160 (https://hub.docker.com/r/hmlio/vaas-cve-2014-0160/)
• Sambacry - CVE-2017-7494 (https://hub.docker.com/r/vulnerables/cve-2017-7494/)
• DHClient RCE - CVE-2018-1111 (https://github.com/knqyf263/CVE-2018-1111)
- 15. # Start Heartbleed Docker
:~ # docker pull hmlio/vaas-cve-2014-0160
:~ # docker run -d -p 8443:443 hmlio/vaas-cve-2014-0160
:~ # nmap -sV -p 8443 --script=ssl-heartbleed localhost
:~ # git clone https://github.com/mpgn/heartbleed-PoC
:~ # python2 heartbleed-exploit.py localhost 8443
- 16. # Start DHClient-RCE Docker
:~ # git clone https://github.com/knqyf263/CVE-2018-1111
:~ # docker-compose up -d
• Attacker
:~ # docker-compose exec attacker bash
:~ # ./scripts/attack.sh
• Victim
:~ # docker-compose exec victim bash
:~ # ./scripts/victim.sh
- 18. # Docker for Security Officer
• Kali Linux (https://www.kali.org/news/official-kali-linux-docker-images/)
• SIFT (https://github.com/kost/docker-sift)
• REMNux (https://hub.docker.com/r/remnux/)
- 20. AWS
• AWS EC2
• Active Directory
• IIS
• SQL Server
• WAF
• NGFW
• AWS S3
• Real sh*t scenario
- 25. Steps of demo #2
• Pwn the client with any method (in this demo I used psexec, but it could be any client-side attack method)
• Dump passwords and enumerate information inside the client
• Create a socket server on the attacker and forward packets to the client via the Metasploit session for pivoting across the network
• Pwn the Windows AD on AWS with psexec using the credentials of a domain user.
- 28. Can we do anything else?
• Vulnhub
• HackTheBox
• PentesterLab
• Many vulnerable VMs/Docker images from many vendors.
• CTF
• etc.